Saturday, January 29, 2011

When is a secondary nameserver hit?

Take this scenario:

domain: foobar.com
ns1:    2.2.2.2
ns2:    3.3.3.3

My question: Is ns2 hit just in the event that ns1 is down? Or, is ns2 hit any time that ns1 returns a miss/doesn't resolve the query? I know ns2 would be hit if ns1 ever went down; but, what if ns1 is up and just doesn't have the data?

  • If NS1 doesn't have the data, NS2 will not be used. Any server that is listed as a valid DNS server for a domain is assumed to have the proper data so if NS2 says there's no such record when queried, the computer making that request will assume that is correct.

    From
  • NOTE: This answer is about DNS client configuration. After some comment discussion, it now appears to me that the OP could be asking about DNS server or domain DNS configuration. If that is the case the premise holds (NS2 only hit if NS1 not available), but the specifics are not relevant.


    The DNS client queries the secondary DNS Server only when the primary DNS server does not respond. If the primary responds with "sorry, wrong number", that response is passed back from the DNS client to the application attempting to communicate.

    UPDATE

    While a particular DNS client can be programmed to do whatever it wants, the standard is to go in order.

    From the Microsoft Technet Understanding DNS client settings page - emphasis mine.

    Configuring a DNS servers list

    For DNS clients to operate effectively, a prioritized list of DNS name servers must be configured for each computer to use when it processes queries and resolves DNS names. In most cases, the client computer contacts and uses its preferred DNS server, which is the first DNS server on its locally configured list. Listed alternate DNS servers are contacted and used when the preferred server is not available. For this reason, it is important that the preferred DNS server be appropriate for continuous client use under normal conditions.

    From the Ubuntu Resolver man page - emphasis mine

    The different configuration options are:

    nameserver Name server IP address

    Internet address (in dot notation) of a name server that the resolver should query. Up to MAXNS (currently 3, see ) name servers may be listed, one per keyword. If there are multiple servers, the resolver library queries them in the order listed. If no nameserver entries are present, the default is to use the name server on the local machine. (The algorithm used is to try a name server, and if the query times out, try the next, until out of name servers, then repeat trying all the name servers until a maximum number of retries are made.)

    fahadsadah : Why was this downvoted?
    ktower : Because it is wrong? From the resolver's perspective, there is no such thing as "primary DNS" and "secondary DNS" servers in this case. Both are equally authoritative for the zone and equally likely to receive (and respond to) a query.
    ktower : For the record, I was not the one who downvoted you. The document you quote seems to describe how a (Windows) client chooses a DNS server from a "locally configured list" to do recursive queries. The OP appears to be asking how queries arrive to DNS servers listed as being authoritative for a zone. As the NS RR has no "priority" field, any DNS server listed within the zone should be considered equally authoritative and equally likely to receive a DNS query.
    tomjedrz : OK - I think - for some reason I missed that he was asking about configuring the DNS server.
    From tomjedrz
  • if ns1 is up and just doesn't have the data?

    If NS1 is "up", and returns NXDOMAIN (no data), then clients will cache it. They won't waste their bandwidth trying NS2.

    I know ns2 would be hit if ns1 ever went down

    This is not necessarily true: If NS1 is down (does not respond/timeout), some DNS clients will simply give up.

    For high availability applications, assume both nameservers are single points of failure. The terms "primary" and "secondary" are obsolete, with regards to DNS servers.

    Evan Carroll : why would you ever not-hit ns2 if ns1 is down? what is it there for then?
    John Gardeniers : "This is not necessarily true: If NS1 is down (does not respond/timeout), some dns clients will simply give up." Care to offer some examples of this broken behaviour?
    geocar : @John Gardeniers : This is an observation from the result of a bet made running tcpdump on a pair of busy nameservers, and turning one of them off. Less than 40% of sites (assuming sites are /16) tried the other nameserver when they queried the down nameserver. Since then, I've always assumed some popular dns cache was buggy here.
    John Gardeniers : @geocar, thanks for that info, which is interesting to say the least.
    geocar : @Evan Carroll: pehrs answered your first question in another answer. The reason it's *there* is largely historical; old versions of BIND were very slow, and so resolvers can try either NS response. If it times out, they can again try *either* NS response. This works well if you're trying to distribute load, but it means they cannot reliably be used for failover. Modern nameservers aren't slow enough for this to be a good reason, which is why I say they're obsolete.
    From geocar
  • Note that which server the clients will hit depends on resolver implementation. Some resolvers will strictly go for NS1, some will randomly choose NS1 or NS2. In either case if the server responds they will not try the other server. The only time they try the other server is when the first server is unable to serve the request.

    To have a look at a more realistic scenario:

    #dig NS google.com 
    ;; QUESTION SECTION:
    ;google.com.            IN  NS
    
    ;; ANSWER SECTION:
    google.com.     297286  IN  NS  ns3.google.com.
    google.com.     297286  IN  NS  ns2.google.com.
    google.com.     297286  IN  NS  ns4.google.com.
    google.com.     297286  IN  NS  ns1.google.com.
    
    ;; ADDITIONAL SECTION:
    ns1.google.com.     297067  IN  A   216.239.32.10
    ns2.google.com.     297074  IN  A   216.239.34.10
    ns3.google.com.     297074  IN  A   216.239.36.10
    ns4.google.com.     297067  IN  A   216.239.38.10
    

    And then we do it again:

    #dig NS google.com
    ;; QUESTION SECTION:
    ;google.com.            IN  NS
    
    ;; ANSWER SECTION:
    google.com.     297249  IN  NS  ns3.google.com.
    google.com.     297249  IN  NS  ns2.google.com.
    google.com.     297249  IN  NS  ns1.google.com.
    google.com.     297249  IN  NS  ns4.google.com.
    
    ;; ADDITIONAL SECTION:
    ns1.google.com.     297030  IN  A   216.239.32.10
    ns2.google.com.     297037  IN  A   216.239.34.10
    ns3.google.com.     297037  IN  A   216.239.36.10
    ns4.google.com.     297030  IN  A   216.239.38.10
    

    Here you can see how google changes the order of the nameservers to spread out the clients more evenly, to avoid exactly the scenario where multiple clients hit their NS1. They still include all the servers to make sure that if one goes down you will get your data through. If one of them gives bad answers you are out of luck however. It's not a situation DNS is designed to handle.

    From pehrs
  • +1 to tomjedrz for being right, from the DNS client perspective. When a DNS client needs to resolve a DNS record it queries its configured DNS servers, in order of precedence (Preferred then Alternate) as tomjedrz stated.

    +1 to ktower for being right from the DNS server perspective when that DNS server is acting as a resolver for a DNS client.

    When my computer needs to resolve a DNS name, it queries its configured DNS servers, in order if needed. If those servers are not authoritative for the name in question they will attempt to locate and query a name server or name servers that are authoritative for the domain in question, in any order, on behalf of the DNS client.

    From joeqwerty
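The server-selection rules the answers above describe, as a constructed model (added here, not code from any poster or from a real resolver): a stub resolver walks its configured list in order, a recursive resolver picks among the zone's NS records with no priority, and in both cases a real answer, including NXDOMAIN, ends the search while only a timeout moves on to the next server. Server names, the zone and the 198.51.100.7 address are made up for the example.

```python
"""Toy model of DNS server selection; the 'query' function stands in for a UDP exchange."""
from dataclasses import dataclass, field
import random

TIMEOUT = "timeout"    # server never answered
NXDOMAIN = "NXDOMAIN"  # server answered authoritatively: no such name


@dataclass
class Server:
    name: str
    answers: dict = field(default_factory=dict)  # qname -> record data
    down: bool = False


def query(server, qname):
    """Constructed stand-in for one query: a down server times out; an up server
    that lacks the name says NXDOMAIN, which is a valid authoritative answer."""
    if server.down:
        return TIMEOUT
    return server.answers.get(qname, NXDOMAIN)


def resolve(servers, qname, order="listed", retries=2, rng=None):
    """Return (answer, tried), where tried lists the servers contacted in order.

    order="listed": stub-resolver behaviour from resolv.conf / the Windows list
                    (preferred first, alternates only after a timeout).
    order="random": the authoritative-NS case from the comments (NS RRs carry
                    no priority, so any listed server may be asked first).
    Only a timeout causes the next server to be tried; NXDOMAIN is final.
    """
    tried = []
    for _ in range(retries):          # resolv.conf: repeat the whole list
        candidates = list(servers)
        if order == "random":
            (rng or random).shuffle(candidates)
        for server in candidates:
            tried.append(server.name)
            reply = query(server, qname)
            if reply != TIMEOUT:
                return reply, tried   # answered, NXDOMAIN included: stop here
    return TIMEOUT, tried             # out of servers and retries


if __name__ == "__main__":
    ns1 = Server("ns1")                                      # up, but has no data
    ns2 = Server("ns2", {"www.foobar.com": "198.51.100.7"})
    print(resolve([ns1, ns2], "www.foobar.com"))             # NXDOMAIN, only ns1 asked
    print(resolve([Server("ns1", down=True), ns2], "www.foobar.com"))  # falls to ns2
```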
